Phone-hacking is all too easy, News Corp scandal shows

EPA/Facundo ArrizabalagaRupert Murdoch, the chairman of News Corporation, left, walks into a London hotel with Rebekah Brooks, chief executive of News International. Murdoch's media empire has come under increased scrutiny as the scandal over phone hacking at the now-defunct News of the World tabloid widens.

The media empire of Rupert Murdoch and the government of British Prime Minister David Cameron have been rocked by revelations of phone hacking by reporters at the now-defunct News of the World. How does one hack into a phone anyway?

Editorial writer Linda Ocasio spoke with Jon Peha, former assistant director of the White House Office of Science and Technology Policy. Peha, an engineering professor at Carnegie Mellon University, also is the former chief technologist for the Federal Communications Commission. He is a senior member of the Institute of Electrical and Electronics Engineers, a professional organization based in Piscataway.

Q. How does phone hacking work?

A. It could mean many things, but everything I’ve seen so far out of the News of the World case involves voice-mail hacking. Some of us have voice mail set up with no PIN (personal identification number) number. Without a PIN number, it’s easy. In some cases, a PIN number is associated with my account, but if I call in from my own number, the system doesn’t require a PIN. In this case, all a hacker has to do is fool the system into thinking the caller is calling in from the phone number of the person he’s trying to hack.

Q. How do you fool the system?

A. There are services or software that can make the call appear to come from any number you wish.

Jon Peha

Q. The voice-mail hacking in Great Britain involved two callers. How does that work?

A. I don’t know what happened in Great Britain, but my best guess would be that the first caller makes sure the second caller doesn’t get a human on the line. So the second caller gets a busy signal and goes directly to voice mail. Once you’re in voice mail, if you don’t have a PIN number, the system will automatically deliver your voice mail or prompt you to push some number for voice mail.

Q. It’s shockingly simple.

A. It gets worse. If there are PIN numbers, there are lots of ways to guess. There may be a default PIN and many customers never change from that. Or 1111 is always a good guess for a default PIN number. A birthday is a good guess. There are lots of ways to guess.

Q. And the lesson?

A. Make sure you have a PIN number, even if you call from your own phone, and make it a number not easy to guess, even by someone who knows you.

A. The processes of hacking are not that different. We’re talking about password guessing. For e-mail, make sure you have a password that someone cannot easily guess. So far, the things we’re talking about are very easy to do, to break into a system. Simple to do and simple to defend against.

Q. What about more sophisticated break-ins?

A. If I can get a piece of software to run on your phone, I can monitor all sorts of things, not just voice mail. Smartphones are designed to take more apps. Unless we defend against it, it is possible that attackers will take advantage of that ability with apps that can monitor your location or your e-mail. I would worry about the things being installed that you didn’t give informed consent to, maybe your spouse put it on, or it was put on with your knowledge but without your understanding. It’s been a problem on PCs for a long time, where this software is sometimes referred to as “spyware,” and now it’s becoming a concern with phones. One of the added concerns with phones is that my phone knows where I am.